Phishing retained its place as the top root cause of data compromises, according to new data from the Identity Theft Resource Center (ITRC).

Ransomware attacks leading to data breaches fell 20% in the second quarter of 2022 compared with the first quarter and dropped quarter over quarter, according to new data from the Identity Theft Resource Center.

"Security researchers believe that the decline in ransomware attacks is due to a combination of factors, including the ongoing conflict in Ukraine and the collapse of cryptocurrencies favored by cybercriminals," the ITRC report notes. "All of these trends – fewer compromises, fewer victims, few ransomware attacks – can be reversed quickly with just a handful of large breaches or a series of smaller ones."  

The ITRC report also says that phishing remained the No. 1 root cause of data compromises in the first half of 2022. Data compromises rose slightly in the second quarter of the year, although the pace of data compromises for the first half of 2022 is down 4% compared with the same period in 2021.

But the ITRC study also shows that the data indicating a downward trend in breaches and ransomware numbers could be an illusion, masked by the nearly 40% of data breach notices that don't include basic information, such as attack vector or a victim count. This is the first time that "unknown" topped the list of data breach causes since the ITRC began tracking data breaches.

So far in 2022, there have been 817 publicly reported data breaches with 53,350,425 victims, down from the record-high 851 recorded by the ITRC in 2021. This includes 802 data breaches with 46,209,107 victims, 10 data exposures affecting 7,136,948 victims, and 5 unknown events numbering 4,370 victims, according to ITRC data.  

In the first half of 2022, 367 entities were affected by 44 third-party/supply chain attacks, including 10 attacks reported in the two previous years. Among those singled out by the report were the Illuminate Education, Ciox Health, and Eye Care Leaders supply chain attacks.

System errors and human errors also contributed to data exposures and included failures to configure cloud security, misconfigured firewalls, and email correspondence containing sensitive information. Physical attacks, which include device theft and improper disposal, resulted in 13 breaches in the second quarter of 2022, for a total of 115,395 victims.

**Ransomware, Phishing Threat to Businesses Still Acute**

As malicious actors move their focus away from individuals, organizations are bearing the brunt of attacks, with global ransomware incidents targeting everything from enterprise servers to grounding an airline.

Data pulled from incident response cases by Unit 42 earlier in the year showed cyber-extortion attacks jumped by 85% as ransomware attackers demanded dramatically higher ransom fees in 2021.

A February report by the ITRC showed phishing is also one of the primary data-breach causes at many organizations in 2021. According to the ITRC, 537 out of 1,613 publicly disclosed breaches in 2021 — or one-third — involved phishing, smishing, or business email compromise.

Malicious actors are moving their focus to small businesses, which are likely to have fewer security resources to combat such attacks — a QuickBooks vishing scam targeting SMBs was just the latest in a string of incidents.

Data Breaches Linked to Ransomware Declined in Q2 2022

Upgrades to the Exostar platform promote secure, compliant collaboration and handling of controlled unclassified information.

**HERNDON, VA, July 12, 2022 –** Exostar, a leader in trusted, secure business collaboration in highly regulated industries including aerospace and defense, today announced the availability of updates to The Exostar Platform that allow small and medium-sized businesses (SMBs) to overcome the technology, time, and cost obstacles of preparing for and demonstrating compliance with Department of Defense (DoD) cybersecurity requirements.

Firms throughout the Defense Industrial Base (DIB), including SMBs deep in the DoD supply chain, will have to acquire Cybersecurity Maturity Model Certification (CMMC) 2.0 certification as soon as May 2023 to participate in subsequent DoD contract solicitations. According to CMMC version 2.0, any member of the DIB that stores or handles Controlled Unclassified Information (CUI) during program execution must meet the 110 practices defined at CMMC Maturity Level 2. Many SMBs simply do not possess the expertise, bandwidth, or budget to go it alone.

Exostar’s Managed Microsoft 365 for CMMC directly addresses these challenges. This managed solution, based on Microsoft Teams and hosted in a Microsoft 365 Government Cloud Computing (GCC) High environment, is designed specifically for SMBs and delivers benefits including:

*   A secure workspace for SMB users within GCC High – without the expense and burden of acquiring, setting up, and managing their own tenant.
*   Rapid onboarding – subscribe today and be working tomorrow.
*   Implementation of the security controls necessary to properly protect CUI – and facilitate compliance with CMMC 2.0 and other DoD cybersecurity standards.
*   Enterprise-grade security at a price SMBs can afford, with room to grow for an enterprise license.

In addition to the launch of Exostar’s Managed Microsoft 365 for CMMC, the company has updated and upgraded its CMMC Ready Suite within The Exostar Platform to provide out-of-the-box support to accelerate SMBs throughout their CMMC 2.0 accreditation journeys:

*   Certification Assistant – Offers plainspoken descriptions of CMMC practices at all three Maturity Levels, helping SMBs to conduct compliance self-assessments and scoring, gather documentation, and prepare for any necessary third-party audits ahead of accreditation.
*   Exostar PolicyPro – Evaluates existing policies (including gap analysis) and/or generates new ones in accordance with all policy requirements defined in CMMC 2.0 practices.
*   CMMC 2.0 Basic Assessment – Provides expert guidance from Exostar-vetted cybersecurity compliance specialist partners who use Exostar’s CMMC Ready Suite to address an SMB’s unique circumstances and accelerate the accreditation process.

“SMBs are the lifeblood of the DIB. While they must improve their cybersecurity capabilities to better protect CUI throughout the DoD supply chain, CMMC 2.0 represents a heavy lift for many of these companies,” said Tony Farinaro, Exostar’s Chief Revenue Officer. “We continue to enhance and expand our CMMC offerings to make it easier and more cost effective for SMBs to meet their obligations so they can stay in the DIB, win business, and keep innovating on behalf of the DoD.”

In addition to SMBs, enterprises also can subscribe to Exostar’s Managed Microsoft 365 for CMMC, as well as purchase the other applications and services in The Exostar Platform’s CMMC Ready Suite, today.

**About Exostar**

The Exostar Platform supports exclusive communities within highly regulated industries where organizations securely collaborate, share information, and operate compliantly. Within these communities, we build trust. More than 150,000 companies and agencies in 175 countries trust Exostar to strengthen security, reduce expenditures, raise productivity, and help them achieve their digital transformation initiatives. Nearly half of the Defense Industrial Base, including 98 of the top 100, transact business over The Exostar Platform. Eleven of the top twenty global biopharmaceutical companies rely on The Exostar Platform to help them speed new medicines and therapies to market. Exostar is a Gartner Cool Vendor. For more information, please visit www.exostar.com, and follow Exostar on LinkedIn and Twitter.

Exostar Empowers SMBs with Enhanced, Low-Cost, Easy-to-Use Microsoft 365 and CMMC 2.0 Solutions

Implemented protections on AWS credentials that were not properly protected.

**WDC Tracking Number:** WDC-22009  
**Published:** July 11, 2022

**Last Updated:** July 11, 2022

**Description**

My Cloud Home Firmware 8.7.0-107 is a major release containing updates to help improve the security of your My Cloud Home devices. Numerous changes were made to the operating system to comprehensively improve its security and to upgrade the user experience to support our latest technologies.

The base operating system has been upgraded from an Android based operating system to the Linux operating system to align with security and stability updates from Debian 10 “Buster”.

Additionally, the Linux kernel has been updated to 4.9.266.

Your My Cloud Home device will be automatically updated to reflect the latest firmware version.    

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud Home

8.7.0-107

July 8, 2022

My Cloud Home Duo

8.7.0-107

July 8, 2022

For more information on the latest security updates, see the release notes.

**Advisory Summary**

A vulnerability in the Linux kernel’s cgroup\_release\_agent\_write was addressed that could lead to escalation of privileges and bypass namespace isolation unexpectedly.  

Addressed an issue in OpenSSL that would make it possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing takes place before the certificate signature verification process, this could lead to a denial-of-service attack.

**CVE Number:** CVE-2022-0778  

Addressed a memory copy vulnerability in the Linux Wi-Fi driver.  

Addressed a command injection attack that could allow a malicious attacker on the same LAN to carry out a DNS spoofing attack via an unsecured HTTP call. This was done by removing the affected code from the product.

**CVE Number:** CVE-2022-22991, CVE-2022-22994

Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative  

A vulnerability was discovered within the parsing of extended attributes (EA) metadata when opening a file in smbd. This vulnerability can be exploited by unauthenticated users if they are allowed write access to file extended attributes. This vulnerability was addressed by removing the "fruit" VFS module from the list of configured VFS objects and by changing EA support configurations.

**CVE Number:** CVE-2021-44142

Reported By: Nguyen Hoang Thach (@hi\_im\_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) working with Trend Micro’s Zero Day Initiative  

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.8-0+deb10u1.

**CVE Number:** CVE-2020-20445, CVE-2020-20446, CVE-2020-20453, CVE-2020-21041, CVE-2020-22015, CVE-2020-22016, CVE-2020-22017, CVE-2020-22019, CVE-2020-22020, CVE-2020-22021, CVE-2020-22022, CVE-2020-22023, CVE-2020-22025, CVE-2020-22026, CVE-2020-22027, CVE-2020-22028, CVE-2020-22029, CVE-2020-22030, CVE-2020-22031, CVE-2020-22032, CVE-2020-22033, CVE-2020-22034, CVE-2020-22035, CVE-2020-22036, CVE-2020-22037, CVE-2020-22049, CVE-2020-22054, CVE-2020-35965, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291  

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.9-0+deb10u1.  

Implemented firmware signing to prevent malicious modifications to the firmware and verify the firmware’s authenticity and integrity.  

Transitioned to Go’s crypto/tls library for secure communications.  

Enabled several kernel hardening options to make exploits of kernel and userland security bugs more difficult to develop.  

Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices. Implemented protections on AWS credentials that were not properly protected..

**CVE Number:** CVE-2022-22997, CVE-2022-22998

Western Digital would like to thank Viettel Cyber Security for reporting this issue.  

Addressed multiple libtiff null pointer dereference vulnerabilities by updating the version to 4.4.0.

**CVE Number:** CVE-2022-0562, CVE-2022-0561, CVE-2022-0865  

Addressed an improper input validation and out-of-bounds write vulnerability in TensorFlow which is an open-source platform for machine learning. An attacker could pass negative values to cause a segmentation fault-based denial-of-service attack. Certain components also did not validate input arguments which could also trigger a denial-of-service attack.

**CVE Number:** CVE-2022-29191, CVE-2022-29213, CVE-2022-29208

CVE-2022-22998: WDC-22009 My Cloud Home Firmware Version 8.7.0-107 | Western Digital

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 1 and July 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for July 1 to July 8

Cybersecurity researchers are drawing attention to an ongoing wave of attacks linked to a threat cluster tracked as Raspberry Robin that's behind a Windows malware with worm-like capabilities. 
Describing it as a "persistent" and "spreading" threat, Cybereason said it observed a number of victims in Europe.
The infections involve a worm that propagates over removable USB devices containing

Cybersecurity researchers are drawing attention to an ongoing wave of attacks linked to a threat cluster tracked as Raspberry Robin that's behind a Windows malware with worm-like capabilities.

Describing it as a "persistent" and "spreading" threat, Cybereason said it observed a number of victims in Europe.

The infections involve a worm that propagates over removable USB devices containing malicious a .LNK file and leverages compromised QNAP network-attached storage (NAS) devices for command-and-control. It was first documented by researchers from Red Canary in May 2022.

Also codenamed QNAP worm by Sekoia, the malware leverages a legitimate Windows installer binary called "msiexec.exe" to download and execute a malicious shared library (DLL) from a compromised QNAP NAS appliance.

"To make it harder to detect, Raspberry Robin leverages process injections in three legitimate Windows system processes," Cybereason researcher Loïc Castel said in a technical write-up, adding it "communicates with the rest of \[the\] infrastructure through TOR exit nodes."

Persistence on the compromised machine is achieved by making Windows Registry modifications to load the malicious payload through the Windows binary "rundll32.exe" at the startup phase.

The campaign, which is believed to date back to September 2021, has remained something of a mystery so far, with no clues as to the threat actor's origin or its end goals.

The disclosure comes as QNAP said it's actively investigating a new wave of Checkmate ransomware infections targeting its devices, making it the latest in a series of attacks after AgeLocker, eCh0raix, and DeadBolt.

"Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords," the company noted in an advisory.

"Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name "!CHECKMATE\_DECRYPTION\_README" in each folder."

As precautions, the Taiwanese company recommends customers to not expose SMB services to the internet, improve password strength, take regular backups, and update the QNAP operating system to the latest version.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Warn of Raspberry Robin's Worm Targeting Windows Users

Dark Reading's digest of the other don't-miss stories of the week, including a new ransomware targeting QNAP gear, and a destructive attack against the College of the Desert that lingers on.

Cybercrime never sleeps — but editors do. To cap off this short Fourth of July week, Dark Reading's editors are collecting all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would be remiss to not cover.  

We're talking a critical Cisco vulnerability, a Microsoft alert on upgrades to the Hive ransomware, QNAP issues, and a pair of cyberattacks.

In this week's "in case you missed it" (ICYMI) digest, read on for more about the following:

*   **Critical Cisco Security Vulnerability Allows Root Access to OS**
*   **Hive Ransomware Gets a Rust-y Upgrade**
*   **QNAP Warns on "Checkmate" Ransomware Attacks**
*   **"SHI-eesh": IT Giant Knocked Offline in Coordinated Cyberattack**
*   **California College Remains Offline After Ransomware Hit**

**Critical Cisco Security Vulnerability Allows Root Access to OS**

Cisco has rolled out patches for 10 security bugs, including a critical flaw that could allow cyberattackers to manipulate application source code, or configuration and critical system files.

The critical issue (CVE-2022-20812, CVSS severity score of 9.0) is a path-traversal vulnerability affecting the Cisco Expressway Series software and Cisco TelePresence VCS software, if they are in the default

"A vulnerability in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS could allow an authenticated, remote attacker with Administrator read-write privileges on the application to conduct absolute path traversal attacks on an affected device and overwrite files on the underlying operating system as a root user," according to the advisory, the latest since Cisco's last bug disclosure in May.

The vulnerability arises thanks to insufficient input validation of user-supplied command arguments, the networking giant noted.

"An attacker could exploit this vulnerability by authenticating to the system as an administrative read-write user and submitting crafted input to the affected command."

**Hive Ransomware Gets a Rust-y Upgrade**

The ransomware-as-a-service (RaaS) offering known as Hive has overhauled its infrastructure, using the programming language Rust.

That's the buzz from Microsoft, whose security researchers noted that Hive is an exemplar of adapting to the rapid change found in the underground economy.

"With its latest variant carrying several major upgrades, Hive also proves it’s one of the fastest-evolving ransomware families, exemplifying the continuously changing ransomware ecosystem," researchers said in a post this week. "The most notable changes include a full code migration to another programming language \[from GoLang to Rust\] and the use of a more complex encryption method."

Rust, a language also used by the BlackCat ransomware, allows advances in coding control, memory usage, resistance to reverse engineering, and access to a range cryptographic libraries, the researchers said.

As for the encryption, "the new Hive variant uses string encryption that can make it more evasive," according to the advisory. “The constants that are used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection.”

**QNAP Warns on "Checkmate" Ransomware Attacks**

QNAP, the network-attached storage (NAS) vendor, is flagging activity against its devices that results in the execution of the Checkmate ransomware.

The cyberattackers are specifically targeting SMB file-sharing services exposed to the Internet, using a dictionary attack to break accounts with weak passwords.

"Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name '!CHECKMATE\_DECRYPTION\_README' in each folder," according to QNAP's advisory this week. It added, "We are thoroughly investigating the case and will provide further information as soon as possible."

Customers of the Taiwan-based appliance maker have been suffering ongoing, relentless ransomware activity — which Dark Reading broke down earlier this week (along with potential defenses) in an extensive roundtable of experts.

To protect their businesses and avoid a ransomware checkmate, users should avoid exposing the SMB service to the internet and should employ strong passwords in any event.

**"SHI-eesh": IT Giant Knocked Offline in Coordinated Cyberattack**

IT-supplier bigwig SHI International said this week that it was the target of "a coordinated and professional malware attack."

The New Jersey-based vendor, which has 5,000 employees and 15,000 customers around the world, said that it moved quickly to stop the infection and minimize the impact on SHI’s systems and operations. That meant that some systems, such as SHI’s public websites and email, were knocked offline "while the attack was investigated and the integrity of those systems was assessed."

The SHI staff regained access to email, but as of Thursday the main website was still not operational. The company said in a website notice that IT teams continue to work to bring other systems back online.

It's unclear what the cyberattackers' goal was, but some researchers noted that a supply chain compromise attempt is a real possibility.

“Apart from being a large enterprise, SHI is a major software and hardware provider to several Fortune 500 companies, and while there is no evidence regarding third-party suppliers getting breached or customer data getting exfiltrated, this is certainly too close for comfort for many of their customers," Rajiv Pimplaskar, CEO at Dispersive Holdings, said via email.

**California College Remains Offline After Ransomware Hit**

As the latest example of what happens when IT isn't prepared for a hit, the 12,500-student College of the Desert, a community college in Palm Desert, Calif., remains offline after suffering which researchers suspect was a ransomware attack.

The cyberattack brought down the school's online services and campus phone lines on July 4. As of late Thursday, the school's website still returned a notice that it "is currently experiencing a system-wide outage of most services," including the ability for students to request transcripts, add or drop classes, or register for classes.

"Educational institutions have continued to be a prime target for ransomware groups over the last couple of years," says Josh Rickard, senior security solutions architect at Swimlane, noting that this is the second time College of the Desert has been hit with a malware attack; the first incident took place in August 2020. "To prevent similar attacks in the future and ensure that operations continue to run smoothly, education institutions such as College of the Desert need to devote more resources to information security teams, tools, processes, and products."

Rickard suspects the incident was ransomware due to the severe operational disruption, but it should be noted that College of the Desert has not confirmed that, admitting only to a "computer network disruption."

ICYMI: Critical Cisco RCE Bug, Microsoft Breaks Down Hive, SHI Cyberattack

Authentication shortcomings leave sensitive data at risk

Authentication shortcomings leave sensitive data at risk

Fewer than half of small and medium-sized businesses are using multi-factor authentication (MFA) to secure critical data, according to new research.

The Cyber Readiness Institute's Global Small Business Multi-Factor Authentication (MFA) study found that most are still relying only on usernames and passwords to secure employee, customer, and partner data. Only 46% have implemented MFA, with just 13% requiring its use for most account or application access by employees.

Catch up on the latest authentication news

Meanwhile, of those that do use MFA, only 39% have a process for prioritizing critical hardware, software, and data, with 49% merely “encouraging the use of MFA when it is available”.

"Using a strong password is important, but complexity alone isn’t enough; adding a second layer of protection with multi-factor authentication is the best way to secure access to personal accounts," said Meg Anderson, vice president-chief information security officer at Principal Financial Group.

"MFA makes it more difficult for potential cybercriminals to gain access and steal company data – even if they have, or guess, your password."

**What’s the benefit?**

Lack of awareness appears to be the main reason for the low take-up of more advanced authentication options. Indeed, 55% of small and medium-sized businesses surveyed said they were “not very aware” of MFA and its security benefits, and only 40% have discussed it with their employees. Meanwhile, of those that haven't implemented MFA, 47% said they either didn’t understand it or didn’t see its value.

Karen Evans, managing director of CRI, told The Daily Swig: "Unfortunately, I’m not surprised. Some small businesses hear a term like ‘multi-factor authentication’ and think it doesn’t apply to them or they don’t need to worry about it."

Evans continued: "With good security practices and office cultures supporting proactive measures, we can assist the SMBs to reduce their risks, rather than simply convincing people it won’t be hard to implement and costly to utilize."

**Blockers**

Other barriers to the use of MFA cited in the study include a lack of funding for tools, implementation resources, and maintenance costs, as well as a lack of technical expertise.

These issues, though, shouldn't be barriers, according to Evans.

"Many of the products and services have two-factor and multi-factor capabilities already built in. It is assisting SMBs to understand how to take advantage of the capabilities they have already purchased," she said.

"There are also changes coming in the future as it relates to going passwordless in operating systems allowing security to be built in up front, making the services more affordable for their customers."

RELATED Cloudflare CTO John Graham-Cumming envisages a frictionless future for website Turing tests

SMEs slow to adopt MFA – study

Avaya, a communications company for SMBs, was left in the dark for years as insiders stole and sold its license keys.
The post Insider Threat: Employees indicted for stealing $88 million of license keys appeared first on Malwarebytes Labs.

Two insiders and an accomplice were indicted on Tuesday for multiple counts of fraud. According to documents unsealed by the Wester District of Oaklahoma, a grand jury charged Raymond Bradley Pearce (aka Brad Pearce), a former employee of Avaya; Dusti O. Pearce, his wife; and Jason M. Hines (aka Joe Brown, aka Chad Johnson, aka Justin Albaum), a former Avaya authorized reseller, with conspiracy to commit wire fraud and 13 counts of wire fraud. The court also charged the Pearces with one count of conspiracy to commit money laundering, and money laundering.

Avaya is a business-to-business (B2B) communications company catering to small- and medium-sized businesses. It sold a product called IP Office, a kind of telephone system, that depended on software licenses to fully use its features, such as voicemail or more telephones.

These licenses were generated within Avaya and sold via authorized distributors and resellers. Avaya required each software license to be linked to a physical flash memory card with a unique serial number. This card had to be plugged into a computer to activate the license.

Avaya introduced Avaya Cloud Office in 2020 and replaced IP Office. However, many businesses worldwide continue to use the latter through license renewals.

Per the indictment, Brad Pearce, a former Avaya customer service employee, abused his administrator privileges to create software license keys and sell them to Jason Hines, a de-authorized reseller, and other customers. They then sold the keys to other resellers and end-users globally.

Pearce also hijacked accounts of former Avaya employees to generate more license keys and draw suspicion away from him. He also used his privileges to conceal evidence that such accounts were generating keys, leaving Avaya in the dark for years.

Dani Pearce allegedly took the accountant and financial manager role in their illegal business operation.

Hines, who operated Direct Business Services International (DBSI), presumably sold the licenses at a much lower price than Avaya’s standard wholesale price. This caused an estimated $88 million in financial damage to Avaya.

All money the Pearces received went to multiple PayPal accounts, bounced to different bank accounts, and then routed to investment accounts. The document further revealed the couple invested in valuable items and large quantities of gold bullion.

According to the fourth installment of the annual insider threats report released by Proofpoint and the Ponemon Institute, insider threat incidents have increased in frequency and cost. Of the more than 6,000 incidents they looked into, 26 percent of them are criminal insiders, the category Pearce and Hines might belong to.

The report, if anything, paints a harrowing picture of the increased risk of insider threats. And non-enterprise organizations aren’t immune to it. More than ever, it is essential for companies of all sizes to take action to reduce this risk.

**Combatting insider threats**

Every organization should acquaint itself with the differet types of insider threats they might have to deal with. Controlling insider threats includes (but is not limited to):

*   Identifying risks that may be unique to your industry.
*   Assigning access rights according to the principle of least privilege.
*   Propper logging and auditing of user activity.

Lastly, organizations should also refer to the common sense guide to mitigating insider threats. A thorough but non-exhaustive list of insider threat references on the same site.

Stay safe!

Insider Threat: Employees indicted for stealing $88 million of license keys

NVIDIA DGX A100 contains a vulnerability in SBIOS in the BiosCfgTool, where a local user with elevated privileges can read and write beyond intended bounds in SMRAM, which may lead to code execution, escalation of privileges, denial of service, and information disclosure. The scope of impact can extend to other components.

**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2022‑28200

NVIDIA DGX A100 contains a vulnerability in SBIOS in the BiosCfgTool, where a local user with elevated privileges can read and write beyond intended bounds in SMRAM, which may lead to code execution, escalation of privileges, denial of service, and information disclosure. The scope of impact can extend to other components.

8.2

AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2022‑31599

NVIDIA DGX A100 contains a vulnerability in SBIOS in the Ofbd, where a local user with elevated privileges can cause access to an uninitialized pointer, which may lead to code execution, escalation of privileges, denial of service, and information disclosure. The scope of impact can extend to other components.

8.2

AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2022‑31600

NVIDIA DGX A100 contains a vulnerability in SBIOS in the SmmCore, where a user with high privileges can chain another vulnerability to this vulnerability, causing an integer overflow, possibly leading to code execution, escalation of privileges, denial of service, compromised integrity, and information disclosure. The scope of impact can extend to other components.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2022‑31601

NVIDIA DGX A100 contains a vulnerability in SBIOS in the SmbiosPei, which may allow a highly privileged local attacker to cause an out-of-bounds write, which may lead to code execution, denial of service, compromised integrity, and information disclosure.

6.7

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑31602

NVIDIA DGX A100 contains a vulnerability in SBIOS in the IpSecDxe, where a user with elevated privileges and a preconditioned heap can exploit an out-of-bounds write vulnerability, which may lead to code execution, denial of service, data integrity impact, and information disclosure.

6.4

AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑31603

NVIDIA DGX A100 contains a vulnerability in SBIOS in the IpSecDxe, where a user with high privileges and preconditioned IpSecDxe global data can exploit improper validation of an array index to cause code execution, which may lead to denial of service, data integrity impact, and information disclosure.

6.4

AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends evaluating the risk to your specific configuration.

**Security Updates**

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.

To protect your system, download and install this firmware update through the NVIDIA Enterprise Support Portal.

**Hardware Platform**

**Affected Versions**

**Updated Version**

NVIDIA DGX A100

All versions prior to 22.5.5

22.5.5

**Notes:**

*   Upgrade to NVIDIA DGX A100 firmware container nvfw‑nvfw‑dgxa100_22.5.5_220518.tar.gz to get the updated firmware and SBIOS version listed in the table above. Firmware updates are available through the NVIDIA Enterprise Support Portal.

**Mitigations**

None. See Security Updates for the version to install.

**Acknowledgements**

The NVIDIA Product Security Team discovered these issues.

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

June 7, 2022

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2022-28200: Security Bulletin: NVIDIA DGX A100 Firmware - June 2022

The package link-preview-js before 2.1.16 are vulnerable to Server-side Request Forgery (SSRF) which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.



New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

keworr opened this issue

May 25, 2022

· 17 comments · Fixed by #117

Closed

**SSRF #115**

keworr opened this issue

May 25, 2022

· 17 comments · Fixed by #117

**Comments**

**Describe**  
There is a way to bypass your regex to validate private & local networks.

If we use http://127.0.0.1/ or http://localhost/ to link preview, we don't see it (Error: link-preview-js did not receive a valid a url or text), but if we use a domain that resolved to 127.0.0.1, we can. For example: localtest.me resolved to 127.0.0.1 (localhost), i.e. If you 'curl localtest.me', you'll see your localhost.

Similarly we can read any other private & local address, any port.

**To Reproduce**  
Steps to reproduce:

1.  Find domain that resolved to private address with reverse ip lookup or use localtest.me (127.0.0.1) or devhead.net (127.0.0.1 + 192.168.1.1 + 192.168.0.1).
2.  Write it to getLinkPreview.
3.  Done. You see your local domain.

**Screenshots**  

Which version are you using? At some point, someone submitted a PR to patch redirections, by default it should not follow any.

I don't quite get what is the issue though... these sites seem to register the loopback address on DNS level. Even curl returns the data of the directory, then it also means that curl has an SSRF vulnerability?

The regex is not a security feature, it's only a way to detect links in the text. As stated, the library does not follow redirections by default.

#105

But you accepted same SSRF here - #105?

I really don't understand what you mean. In that issue, the author submitted a PR not to follow redirects, which is now the default behavior. The same author complained that it is possible to pass the regex with a localhost url, like I said, the regex is not meant to be a security feature, it is only there for link detection. Once the url is passed to the fetch library, there is no way to re-validate the url (even if the regex was meant to do that, which it is not) . On the other hand, I already showed you that curl also has this same behavior, because the domains you send use the localhost address on a DNS level, so that means (as far as I can see) that there is no SSRF vulnerability, this is just the expected behavior.

Copy link

Author

** **keworr** commented May 25, 2022 •**

Redirects were disabled in that issue because it allows to read local hosts, right?  
And my way also allows to read local hosts?  
idk what is different

Yes, curl by default allow same, also curl allow requests as curl file:///etc/passwd by default, SMB requests, FTP, etc. Also e.g. any browsers allow redirects by default, but you disabled it.

I just saw that issue and thought that SSRF is sensitive here, if not - ok.

redirects were disallowed not because localhost, but because redirections are by default insecure. Your way allows to reach localhost, not because the library is doing something wrong, but because the domains you provided loopback to localhost **on the DNS level**, they are not intercepting the request and redirecting, they are straight up returning 127.0.0.1 when their DNS address is resolved. There is nothing I can do about that.

@ospfranco first of all i install lastest version of package for testing my local machine and cant see followRedirects option in source could there be a problem with npm? can you check please

Second of all i agree with @keworr this vulnerability is called DNS pinning (or DNS rebinding) and it allow to bypass all control mechanism on DNS level but library has proxy option and the purpose of proxy is to fix such DNS level problems and vulnerabilities. But if we want the library to prevent such DNS level attacks as well we can fix this by dns lookup before make request

hi @AbdurrahmanA, you are right I published a new version of the package, probably some cache was left on my machine when I published one of the newer versions. Thanks a lot!

Thanks a lot for the explanation, that was what I needed. This StackOverflow answer seems to suggest there is no way to resolve the DNS address from JavaScript, seems like the solution is to self-host a proxy?

Actually if we added that kind of option to library it would be great i would love have that option. We can easily do nslookup for server side, for client side we can use https://dns.google/resolve?name=localtest.me or that option wont be available for client side. By the way this library should not be in client side it wil get lots of CORS error 😁

If you mean hardcoding a DNS service, not a fan (and especially google's), but maybe an option to pass a DNS resolver if one chooses to do so.

The library will face CORS errors on websites, on React Native, Cordova, etc it works just fine

We can easily set DNS resolver for Node js side, but if we do this using native dns library, will it be a problem for client-side users? otherwise we should make an online dns resolver option right?

I'm still not sure if the DNS resolver should always be there, just from a latency point of view, it might affect people who have already deployed this. But just passing a function that resolves the host might be enough for us to check against common attacks?

    getLinkPreview('some text with a link', {
      // Must resolve the url host, internally checks for loopbacks and common SSRF attacks
      resolveDNSHost: (url: string) => Promise<string>
    })
    

On the other hand, I don't think this would be an issue on mobiles. Almost nobody has a server running on the phone for the loopback address to be considered dangerous. Maybe conditionally importing/requiring the DNS resolver on node is enough...

Sorry for late response, Yes we just need the DNS resolver on node can we do that and also, we need to warn people about common SSRF vulnerabilities and make sure people understand what this library does.

Most people won't care 🤷‍♂️ they barely read the CORS warning. But I'll try to find some time in the coming weeks to add the option, otherwise PRs are welcome

Great to hear that, i could also do it if i have time, i will inform you 👌

Tag

#samba